RequestPolicyContinued / requestpolicy

a web browser extension that gives you control over cross-site requests. Available for XUL/XPCOM-based browsers.
https://github.com/RequestPolicyContinued/requestpolicy/wiki

After upgrading to FF47, "null" destination appears on some sites and functionality is broken #784

Closed fzimmerm closed 8 years ago

fzimmerm commented 8 years ago

Version: 1.0.beta12.1

Steps to reproduce:

  1. Create a new Firefox profile
  2. Set RP's default policy to "deny"
  3. Visit http://gbatemp.net/review/mighty-no-9.467/
  4. Allow *.cloudflare.com
  5. Scroll down and try to click on one of the image thumbnails

What happens?

  1. The image opens in a modal, all images scroll by very quickly and the modal closes.
  2. Notice how "null" appears as a destination. Allowing requests to it doesn't fix the issue.

What should happen?

  1. A modal showing the image and allowing navigation between images should appear.

Other, similar bug:

Steps to reproduce:

  1. Create a new Firefox profile
  2. Set RP's default policy to "deny"
  3. Install and enable the rikaichan add-on and a dictionary.
  4. Open a page with Japanese characters and hover over a kanji character.

What happens?

  1. Instead of a pop-up with the translation being displayed near the cursor, an unformatted translation is displayed at the bottom of the page.
  2. Notice that "rikaichan" appeared as a destination. Globally allowing requests to it seems to fix the problem.

What should happen?

  1. A pop-up with the translation should appear near the cursor.

myrdd commented 8 years ago

Okay, seems like these are two issues. Both issues are independent of the Firefox version, i.e. they are also an issue on Fx45-esr. However, both issues have been introduced by commit https://github.com/RequestPolicyContinued/requestpolicy/commit/d1f6976b63daecab8514416654241849737c0e1e. I already expected this would break something. Thank you for reporting.

In the first issue, a request to "about:blank" is made. The fix will be to globally allow requests to "about:blank" again. FYI, you can read about about:blank in the NoScript FAQ.

The rikaichan add-on causes a request from the website's url to chrome://rikaichan/skin/popup-blue.css. This request should be allowed in case the rikaichan add-on is installed.

I'm planning to release a hotfix this weekend. Until then, please use beta11.1 to work around the first issue.

myrdd commented 8 years ago

Regarding the second issue, I'm going to allow chrome://*/skin/, since other Add-ons need this as well (see e.g. this review).

Allowing chrome://*/skin/ seems to be safe; it looks like Fx does security checks on "chrome" uris. See this screenshot of my test (screenshot of trying to access a skin file, which fails with a security error). The site tries to show an image with the given URI. The error message is "Security Error: Content at http://www.maindomain.test/internal-destinations_1.html may not load or link to chrome://rpcontinued/skin/requestpolicy-icon-blocked.png.", and RP is not even asked whether the request should be allowed.
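The two maintainer comments above describe the same underlying problem from two angles: a default-deny policy keyed on destination hosts has nothing to match for destinations that have no host (about:blank) and needs scheme-level rules for browser-internal destinations (chrome://*/skin/). The following is an added illustration, not RequestPolicy's own code; the policy shape, the rule names `allowHost`/`allowUri`, and the CDN and tracker URLs are constructed for the example. It runs under Node.js and shows why "null" appears as a destination for about:blank, why allowing the host "null" cannot fix it (as the reporter observed), and how a URI-pattern rule for about:blank and chrome://*/skin/ is evaluated before the host rules.

```javascript
// Added example (not RequestPolicy's own code): a minimal default-deny
// cross-site request evaluator in the spirit of the policy discussed in
// this thread.

// Destination label as a host-based policy UI would display it: the URI's
// hostname, or null when the URI has no host at all (about:blank has no
// authority part, so there is nothing to show).
function destinationLabel(uri) {
  const host = new URL(uri).hostname;
  return host === "" ? null : host;
}

// Turn a simple glob (only "*" is a wildcard) into an anchored RegExp.
function globToRegExp(glob) {
  const escaped = glob
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

// Policy shape (constructed for this example):
//   defaultAllow: the global default; false reproduces "deny".
//   allowHost:    globs matched against the destination hostname.
//   allowUri:     globs matched against the full destination URI, which is
//                 the only way to address destinations without a host.
function isAllowed(policy, originUri, destUri) {
  const originHost = destinationLabel(originUri);
  const destHost = destinationLabel(destUri);

  // Same-host requests are not cross-site; they never reach the rules.
  if (originHost !== null && originHost === destHost) return true;

  // URI-pattern rules first: this is where about:blank and chrome://*/skin/
  // are allowed "globally", i.e. regardless of the requesting origin.
  if (policy.allowUri.some((g) => globToRegExp(g).test(destUri))) return true;

  // Host rules can only match a destination that has a host. A rule for the
  // literal host "null" therefore never matches about:blank.
  if (destHost !== null &&
      policy.allowHost.some((g) => globToRegExp(g).test(destHost))) {
    return true;
  }
  return policy.defaultAllow;
}

// Constructed policies: the reporter's state (default deny, *.cloudflare.com
// allowed, then "null" allowed as a host) and the state after the fix the
// maintainer describes (about:blank and chrome://*/skin/ allowed by URI).
const policyBeforeFix = {
  defaultAllow: false,
  allowHost: ["*.cloudflare.com", "null"],
  allowUri: [],
};
const policyAfterFix = {
  defaultAllow: false,
  allowHost: ["*.cloudflare.com"],
  allowUri: ["about:blank", "chrome://*/skin/*"],
};

// Origin page and internal destinations taken from the thread; the CDN and
// tracker URLs are constructed.
const ORIGIN = "http://gbatemp.net/review/mighty-no-9.467/";
const REQUESTS = [
  "about:blank",
  "chrome://rikaichan/skin/popup-blue.css",
  "https://cdn.cloudflare.com/lightbox.js",
  "http://tracker.example/pixel.gif",
];

// Evaluate every request under one policy; returns destination -> decision.
function evaluate(policy, originUri, requests) {
  const result = {};
  for (const dest of requests) {
    result[dest] = {
      label: destinationLabel(dest),
      allowed: isAllowed(policy, originUri, dest),
    };
  }
  return result;
}

console.log("before fix:", evaluate(policyBeforeFix, ORIGIN, REQUESTS));
console.log("after fix: ", evaluate(policyAfterFix, ORIGIN, REQUESTS));
```

Running it shows about:blank labelled `null` and denied under the first policy even though "null" is in `allowHost`, and allowed only once a URI-level rule exists. The chrome://*/skin/ rule is an extension-side decision; as the screenshot in the comment above shows, the browser's own security check still refuses to let web content load chrome:// skin resources, so the rule only unblocks requests that the browser has already decided are legitimate.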

myrdd commented 8 years ago

Should be fixed in 1.0.beta12.2 and 1.0.beta12.2.1508.rbb94a69.pre.